Firezone is an open-source zero-trust access platform that replaces legacy VPNs with secure, peer-to-peer connections built on WireGuard®. It enables organizations to grant least-privileged access to applications, subnets, and services without exposing them to the public internet. Designed for DevSecOps teams, IT administrators, and security engineers, Firezone solves the complexity and performance bottlenecks of traditional VPNs like OpenVPN by combining WireGuard’s speed with dynamic access policies and identity-aware authentication.
The platform is architected as a monorepo with an Elixir-based admin control plane (Phoenix LiveView UI) and a high-performance Rust data plane including gateways, relays, and cross-platform clients (macOS, iOS, Android, Windows, Linux). It supports self-hosting for non-production use and offers a managed cloud service with enterprise features like directory sync, audit logs, and SLA-backed support. Deployment options include cloud-hosted or on-prem gateways with automatic failover and load balancing.
What You Get
- WireGuard®-based Performance - Delivers 3-4x faster throughput than OpenVPN with sub-10ms latency using the WireGuard protocol and ChaCha20/Poly1305 encryption.
- Peer-to-Peer Hole-Punching - Establishes direct client-to-resource tunnels without routing traffic through a central server, minimizing attack surface and reducing latency.
- Granular Access Policies - Control access to individual apps, subnets, or services using rules based on user groups, device posture, time of day, and location.
- SSO & Directory Sync - Automatically sync users and groups from Google Workspace, Okta, and Entra ID (Azure AD) for seamless onboarding and offboarding.
- Multi-Platform Clients - Native apps for macOS, iOS, Android, ChromeOS, Windows, and Linux with zero-configuration connectivity and persistent network tunnels.
- Automatic Gateway Load Balancing - Deploy multiple gateways to distribute traffic and enable failover without manual configuration or downtime.
- Audit Logs & Compliance - Full activity logging for all connections, with 90-day retention for SOC 2 Type I and II compliance in the managed offering.
- Open Source & Auditable - Entire codebase is open-source (Apache 2.0 + Elastic 2.0), enabling full transparency and security audits by internal teams.
Common Use Cases
- Securing cloud resources for remote teams - A DevOps team uses Firezone to grant secure, policy-based access to AWS and GCP resources without opening public ports or managing complex ACLs.
- Enabling secure remote access to on-prem networks - An IT department connects remote employees to internal services like NAS, databases, and CI/CD tools using Firezone’s hole-punching gateways, keeping firewalls closed.
- Replacing OpenVPN with a zero-trust solution - A mid-sized company migrates from legacy OpenVPN to Firezone to reduce configuration complexity, improve performance, and enforce MFA via Okta integration.
- Managing access to SaaS applications with MFA - A security team enforces two-factor authentication for access to HubSpot, GitHub, and other SaaS tools using Firezone’s OIDC integration without requiring app-level SSO.
Under The Hood
Architecture
- Modular monorepo structure with clearly isolated domains: a Phoenix-based web and API portal, a Rust-powered WireGuard networking backend, and native mobile clients, each with dedicated build contexts and bounded responsibilities
- Microservice-like decomposition enforces separation of concerns, with the portal handling HTTP/API, Rust managing low-level tunneling, and an edge router enforcing network policies
- Dependency injection via environment variables enables dynamic service binding in Elixir, while containerized orchestration with Docker Compose isolates services in custom network namespaces with precise permissions
- Cross-language communication is decoupled through well-defined interfaces: WebSocket connections and shared schemas between Elixir and Rust prevent tight coupling
Tech Stack
- Elixir/Phoenix powers the web portal with LiveView interfaces and HTTP APIs, deployed as containerized release binaries
- Rust serves as the high-performance networking core for WireGuard, integrated into Docker build pipelines with cross-platform tooling
- PostgreSQL is managed through Elixir migrations and containerized with health checks for production reliability
- Unified tooling via mise and pre-commit hooks ensures consistent formatting and dependency management across Elixir, Rust, Kotlin, Swift, and web assets
- Docker Compose orchestrates the full stack with custom network topologies, including simulated latency and elevated network privileges for accurate emulation
Code Quality
- Comprehensive test coverage spans unit, integration, and end-to-end scenarios, validating business rules and edge cases across both Elixir and Rust
- Strong type safety and domain validation are enforced via Ecto changesets with precise, user-friendly error messages
- Consistent, domain-driven naming and clear layer separation enhance code readability and long-term maintainability
- Robust error handling leverages Elixir’s pattern matching and Rust’s Result types to provide contextual, recoverable failures instead of generic exceptions
- Automated testing with fixtures and helpers reduces duplication, while linting and compile-time checks serve as silent guardians of code integrity
What Makes It Unique
- Native DNS-over-HTTPS configuration built into clients, eliminating reliance on external resolvers for secure tunneling
- Unified OIDC/Entra ID authentication with dynamic context routing between portal and admin interfaces in a single cohesive flow
- Automatic version compatibility tracking in the UI, using semantic versioning to prevent deployment mismatches between clients and gateways
- Enterprise-grade identity synchronization with Okta and Entra ID, embedding session lifetime controls directly into the auth model
- Client-side DNS configuration delivered as a backward-compatible API response, enabling seamless platform integration without client updates